Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 20:18

General

  • Target

    58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe

  • Size

    1.1MB

  • MD5

    76b4ecdd69ea4b912c166a958aedf825

  • SHA1

    05ae56ed405efc7eb03b5373704c86819e1d5c26

  • SHA256

    58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778

  • SHA512

    0e08fb35127f9916624a578a99d736e8ffee380385b90d64ad6b9a83bbd80bf848624e6ba61eb12ce027f6fc802484659b0f7c9c1acfce671dfe2453251d83fa

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzM4

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe
    "C:\Users\Admin\AppData\Local\Temp\58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5164
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4844
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4572
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2456
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4936
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:672
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2152

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    cce7bb0f880269e30b58133160b5bae3

    SHA1

    5aeb2352f5e7038dd2cb911f8fd1ef75ca43597b

    SHA256

    bf4441e3987832605801c29e5895b60c450f716846e7a677cb2c5ad0fc58b6ce

    SHA512

    b09d304ae9cc80bdfee7f09f79da1bec2a2ba413e5fde8153e4b27771f52389e92e5628013d50d42fc434646db2dbbb549dd8aecdbc37f2ddb046c355727f61e

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    9d9867376c8284245aea97643987cadf

    SHA1

    fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

    SHA256

    b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

    SHA512

    2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    1ca638ab56e1883ffe75969d1d8c4a61

    SHA1

    2f32fe1ad07a21f4aade2693ef174e30427e4f26

    SHA256

    ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

    SHA512

    91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    1b8bde74dec7bf39663575ae5f22946e

    SHA1

    90b0c0241fd71019379dcd1a431a190ab1d70459

    SHA256

    564217c4bb3af839fd3f9175014ddbe72a26f21556b7030fb8a9fb7553b643bc

    SHA512

    591db8492a99be21fd1a295f0f9560efa8e7e37055d9f062738390c35b1a95bcd63017a103b32070cb639b47e6f8908d69613374fe12eac2aeb15910daa40346

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    3860451eadeeb4d99feebde8b07c3c5c

    SHA1

    f683e42971a22ff93085e1a9ccf0cd10219be134

    SHA256

    e04eaa2934f3b8b90da86dabcb13316358154f7dc90eacff56a9759a3b7e935f

    SHA512

    f9eb01e43d6411a06fb10ca2a176056c1b3820751001f4f92cf19fb19ff60c04becee0bc10b294b1d0c298d102563bcad31813897408e99c86dd8aaca6f28df8

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    d6b5fe7caee181173abea10f7f83a6e1

    SHA1

    603cf8a17f38e77bbded4d56612be96859a60bbc

    SHA256

    fbe532ac10ba26439785443b85cfd094fb4a01deb62df7b6645174d0141c7eee

    SHA512

    13c1b43ccb9b19041715e5eb82a92587756b7f394eb79ef42922b7d93cda7f557ad50561b3ac4c3b91e7dd1ef76b7170600f17c3bac198d549ddae73128ca117

  • memory/3080-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB